Agile techniques in the work of a police analyst

How can the results of R&D activities support actions in the areas of criminal intelligence analysis and computer forensics?
Marek Kisiel-Dorohinicki, Jacek Dajda
University of Science and Technology
Department of Computer Science
Forensic Software Laboratory
www.fslab.agh.edu.pl
Agenda
• Who are we?
• Our solutions
• What is important to succeed?
Who are we?
Our team
• Our team originates from the Department of Computer Science at the University of Science and Technology in Kraków
• We soon understood that a strong team needs to be diversified:
Scientists (e.g. faculty employees)
Young researchers (e.g. PhD students)
Developers (e.g. former students)
Domain experts (e.g. end-users)
Technological experts (e.g. freelancers)
What we do
• Since 2006 we have specialized in developing tools for homeland security forces, such as the Police, Border Guard, Public Prosecutor's Office, Customs Service, Government Protection Bureau and Military Gendarmerie
• We have participated or are participating (often as the leader) in 9 research & development projects, the majority of which are funded by the National Centre for Research and Development
• The results of these projects are working software products, used by our end-users or ready for deployment at customers' sites
Distribution of our solutions
www.fslab.agh.edu.pl
Our users
• Currently over 1200 registered users
• More than 1000 downloads of a single version of our most popular product, LINK
• Over 40 signed licences for our products
Our solutions
Selected solutions
• Analytical databases
• FileSeeker
• LINK
• WebAlert
• Geospatial analysis
• Extensible platform for data processing, analysis and visualization
• Heterogeneous sources of information and various formats and standards of the data
• Data integration based on pre-defined and user-defined models (types of analytical objects and relations)
• The use of pre-defined models allows for domain-oriented processing
Importing structural data
• Mapping of data from tables (e.g. spreadsheets, databases) into the domain model
• Automated discovery of formats
• Data validation
Data integration on diagrams
• Visualization in the form of interactive graph diagrams
• Ability to connect data from different data sources
• Identification of duplicated entries, data cleaning
Data visualization using geographical maps
• Handling objects and events which have geographical coordinates
• Multiple data series
• Graphical editor which enables the user to prepare the final presentation
• Graphical time filters
• Ability to work offline
Data visualization on a timeline
• Handling any events with a time stamp
• Multiple object lines
• Graphical editor
Focused statistics
• User-friendly filtering and sorting
• Statistics related to time of event or relationships between objects
• Identification of statistical anomalies
Analysis of email traffic
• Support for various inbox formats
• Visualization in the form of tables and graphs
• Ability to track the flow of attachments and communication between email addresses
Analysis of bank accounts statements
• Convenient import into predefined data model
• Embedded configurable algorithms for pattern discovery
Software for computer forensics
Supported sources:
• Typical disk image formats (RAW, DD, EnCase, AFF, AFD, AFM, mounted files and folders)
• Partition formats: NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, EXT4, HFS, ISO 9660
• Support for unallocated disk space
• Support for deleted files (Recycle Bin)
Most important file formats
• MS Office, OpenOffice documents
• PDF documents
• Plain text files (encoding detection)
• Archives – 15 types (zip, 7z, rar, tar, gz, …)
• Multimedia files (audio, video, graphics)
• Email (e.g. MS Outlook, Thunderbird)
• Web browser cache and history
Searching with the hit rate and context
NLP algorithms
Searching handles:
• different forms of words
• typos
• can be extended with dedicated extensions (e.g. Polish language)
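The slide describes approximate search that tolerates typos and inflected word forms and reports hits with their context. The block below is an added illustration, not code from FileSeeker or the authors: it implements edit-distance matching over a tokenized text and returns each hit with its surrounding characters and an overall hit rate. The sample text, the `max_edits` and `context` parameters and the `normalize` hook (a stand-in for a language-specific stemmer such as the Polish extension the slide mentions) are assumptions of this example.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


WORD_RE = re.compile(r"\w+", re.UNICODE)


def fuzzy_search(text: str, query: str, max_edits: int = 1, context: int = 20,
                 normalize=str.lower) -> dict:
    """Find words within `max_edits` of `query`; return hits with context and a hit rate.

    `normalize` is a hypothetical hook: a language-specific stemmer could be
    plugged in here so that inflected forms collapse to the same stem.
    """
    q = normalize(query)
    hits, words = [], 0
    for m in WORD_RE.finditer(text):
        words += 1
        d = levenshtein(normalize(m.group()), q)
        if d <= max_edits:
            start, end = m.start(), m.end()
            hits.append({
                "term": m.group(),
                "edits": d,
                "exact": d == 0,
                "context": text[max(0, start - context):end + context],
            })
    return {"hits": hits, "words": words,
            "hit_rate": len(hits) / words if words else 0.0}


# Constructed sample text for the example (not real case data).
SAMPLE_TEXT = ("The invoice was paid. A second invoise arrived on Monday; "
               "both invoices were filed under voice recordings.")

if __name__ == "__main__":
    result = fuzzy_search(SAMPLE_TEXT, "invoice")
    for h in result["hits"]:
        print(h["term"], h["edits"], repr(h["context"]))
    print("hit rate:", round(result["hit_rate"], 3))
```

With one edit allowed, the exact term, the typo `invoise` and the plural `invoices` are all returned, while `voice` (two edits away) is not; raising `max_edits` widens the net at the cost of false hits, which is why the per-hit `edits` value is kept so an analyst can sort by closeness.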
Automated extraction of objects
Supported object types:
• addresses
• emails
• URLs, phone numbers
• bank accounts
• passwords
• names of companies
• names and surnames
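To show what automated extraction of a few of these object types looks like in practice, here is an added example (not FileSeeker code and not from the authors). It pulls emails, URLs, phone numbers and bank-account candidates out of free text with regular expressions, and validates each bank-account candidate with the IBAN mod-97 checksum so that a string that merely looks like an account number is not reported as one. Higher-confidence matches (IBANs, URLs) are masked before phone extraction so their digit runs are not double-reported as phone numbers. The regular expressions and the sample note are assumptions of this example; the IBAN values are the standard published test examples, not case data.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>'\"]+")
# International-style phone numbers: optional +, 9-16 digits with spaces/dashes,
# not glued to a word character or an @ (so digits inside emails are skipped).
PHONE_RE = re.compile(r"(?<![\w@])\+?\d[\d \-]{7,14}\d(?![\w@])")
# IBAN candidate: country code, two check digits, 11-30 alphanumerics, spaces allowed.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35 and require the resulting number to be 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def extract_objects(text: str) -> dict:
    """Return analytical objects found in free text, grouped by type.

    Phone numbers are normalised to digits (keeping a leading +); only
    candidates that pass the IBAN checksum are reported as bank accounts.
    """
    emails = sorted(set(EMAIL_RE.findall(text)))
    urls = sorted(set(URL_RE.findall(text)))
    ibans = sorted({c.replace(" ", "") for c in IBAN_RE.findall(text)
                    if iban_is_valid(c)})
    # Mask structured matches before looking for phone numbers.
    masked = URL_RE.sub(" ", IBAN_RE.sub(" ", text))
    phones = sorted({re.sub(r"[ \-]", "", p) for p in PHONE_RE.findall(masked)})
    return {"emails": emails, "urls": urls, "phones": phones,
            "bank_accounts": ibans}


# Constructed sample note for the example (not real data).
SAMPLE_NOTE = """Note from a constructed case file:
Contact jan.kowalski@example.com or call +48 601 234 567 about the transfer
to account PL61 1090 1014 0000 0712 1981 2874; the second account
PL61 1090 1014 0000 0712 1981 2875 did not verify. Listing: https://example.com/auction/42
and a landline 12 345 67 89 were also mentioned."""

if __name__ == "__main__":
    for kind, values in extract_objects(SAMPLE_NOTE).items():
        print(f"{kind}: {values}")
```

The second account string differs from the first by one digit and fails the checksum, so it is dropped; in a real deployment such rejected candidates are still worth logging, since a mistyped account number in a document can itself be evidence.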
Data collecting, searching and sharing
[Diagram: documents and reports; analytical objects, connections, cases; roles: Operator, Analysts, Administrator; advanced searching]
Support for documents processing
• Document registration and tagging
• Attachment and comment management
• Extraction of objects and connections
Named Entity Recognition
• Automated discovery of analytical objects with NLP techniques (mainly Named Entity Recognition)
• Support for entity linking and building relations between entities
Full text searching
• Based on NLP techniques
• Searching through all data in the system, in all attributes and fields
• Highlighting precise hits and similar hits
• Searching for connected objects
Data visualization
Graph of connections
Analytical objects profiles
Lists, tables, trees
Advanced data model
• Object-based
• Easily configurable and extensible
• Versioned
Security
• User roles and groups with hierarchies
• Document-based permission management
• Action log per every user
GIS Tools
• An extension to the LINK platform
• Offers dedicated GIS functions supporting specific cases related to geospatial analysis
• Can be easily extended with new functions
Interesting points of interest
• The idea is to quickly find POIs of a specific kind which are interesting for the current case
• Example: finding CCTV cameras near the crime scene
Identification of meeting places
• Based on a time stamp and geographical location it is possible to identify potential meeting places
Identification of similar tracks
• Similar to meeting places, but extended to a series of points
• Can be used to verify the acquaintance of two persons based on their phone billing records
• Can be used to compare tracks with a given pattern
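The two slides above (meeting places from time-stamped locations, and similar tracks as the extension of that idea to a series of points) describe one underlying computation: find pairs of fixes from two tracks that are close in both time and space. The following example is added here and is not GIS Tools or LINK code; it implements that check with a haversine distance, derives candidate meeting places as the midpoints of co-located pairs, and scores track similarity as the share of one track's fixes that have a counterpart in the other. The distance and time thresholds, the `Fix` type and the sample tracks (constructed coordinates in central Kraków with arbitrary times) are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    """One time-stamped location, e.g. a cell-site record from a billing file."""
    who: str
    t: datetime
    lat: float
    lon: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6_371_000.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(h))


def colocations(track_a, track_b, max_m: float = 100.0,
                max_gap: timedelta = timedelta(minutes=15)):
    """Pairs (a, b) whose fixes are within max_m metres and max_gap in time."""
    pairs = []
    for a in track_a:
        for b in track_b:
            if abs(a.t - b.t) <= max_gap and \
                    haversine_m(a.lat, a.lon, b.lat, b.lon) <= max_m:
                pairs.append((a, b))
    return pairs


def meeting_places(pairs):
    """Candidate meeting places: midpoint of each co-located pair."""
    return [((a.lat + b.lat) / 2, (a.lon + b.lon) / 2) for a, b in pairs]


def track_similarity(track_a, track_b, **thresholds) -> float:
    """Share of track_a's fixes that have at least one co-located fix in track_b."""
    if not track_a:
        return 0.0
    matched = {a for a, _ in colocations(track_a, track_b, **thresholds)}
    return len(matched) / len(track_a)


# Constructed sample tracks (not real billing data).
T0 = datetime(2024, 1, 1, 10, 0)
TRACK_A = [
    Fix("A", T0, 50.0614, 19.9366),
    Fix("A", T0 + timedelta(hours=1), 50.0647, 19.9450),
    Fix("A", T0 + timedelta(hours=2), 50.0700, 19.9500),
]
TRACK_B = [
    Fix("B", T0 + timedelta(minutes=4), 50.0615, 19.9368),   # ~18 m from A's first fix
    Fix("B", T0 + timedelta(minutes=40), 50.0614, 19.9366),  # same place, 40 min later
    Fix("B", T0 + timedelta(hours=1, minutes=3), 50.0648, 19.9451),
    Fix("B", T0 + timedelta(hours=2), 50.0800, 19.9700),     # ~1.1 km away
]

if __name__ == "__main__":
    for a, b in colocations(TRACK_A, TRACK_B):
        print(a.t.time(), b.t.time(), round(haversine_m(a.lat, a.lon, b.lat, b.lon)), "m")
    print("places:", meeting_places(colocations(TRACK_A, TRACK_B)))
    print("similarity:", round(track_similarity(TRACK_A, TRACK_B), 3))
```

The second B fix sits exactly where A was, but 40 minutes later, so it is not a co-location; spatial proximity alone is never enough, and the time window is the parameter an analyst should justify explicitly, since cell-site positions in billing data are coarse and the threshold chosen drives both false matches and missed ones.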
The tool concept
[Diagram; labels: HTTP / JS]
Searching and monitoring web content
• Searching for specific domains or starting from specific web pages
• Configuration options: depth of searching, maximum number of pages, etc.
• Advanced language rules: different forms of words, searching for similar words, searching in the neighbourhood
• User dictionaries
Support for secured and dynamic sources
• Ability to run macros (e.g. logging into Facebook)
• Executing JavaScript
• Automated clicking of web page elements (e.g. Show more, Show comments)
• Automated scrolling for new content
Data extraction based on templates
• Extraction of important elements to a structured form (CSV, XLSX) for further analysis
• Example for an internet forum: author, content and date of a post
• Can be very useful for internet auction portals
Final thoughts
What is important to succeed?
• Open-mindedness, flexibility (e.g. agile methods and techniques)
• Close collaboration, team work, diversity
• Proper focus on the final product and goals
• Balance between innovation and working software
• Support, availability, maintenance